
Flip Feng Shui attack makes it possible to leak SSH keys from a VM

Aug 11, 2016

Researchers at the Free University and the University of Leuven have presented an attack on virtual machines. It is called "Flip Feng Shui" and makes it possible to manipulate the memory of another virtual machine on the same host and so, for example, to steal SSH keys.

The attack works because virtual machines on the same host use shared physical memory, as the researchers explain on their page. To carry out Flip Feng Shui, the attacker must first identify memory cells in the attacker's own VM that are susceptible to a so-called Rowhammer attack. Rowhammer works by activating certain memory rows in rapid succession, which changes the state of a cell so that a bit can be flipped from 0 to 1. The attacker then creates a memory page whose content matches a page of the victim VM.

The system then deduplicates the two pages because their content is the same. Deduplication is a technique for saving memory. This form of attack also appeared in earlier research by the team of scientist Herbert Bos, who also took part in this study. Once the content of the pages has been brought together on one physical memory page, the attacker can manipulate the victim's memory through a Rowhammer attack. The bits are flipped directly in the DRAM.
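The mechanism described above, as an added example that is not from the researchers or the original article: a simplified Python model (the `Host` class, the VM names and the sample page are all constructed) showing that a software write to a deduplicated page is isolated by copy-on-write, while a bit changed in the DRAM frame itself is seen by every VM mapped to that frame.

```python
import hashlib

class Host:
    """Toy hypervisor: physical frames plus per-VM page tables (constructed model)."""
    def __init__(self):
        self.frames = {}      # frame number -> bytearray (physical page content)
        self.tables = {}      # (vm, virtual page) -> frame number
        self.next_frame = 0

    def map_page(self, vm, vpage, data):
        self.frames[self.next_frame] = bytearray(data)
        self.tables[(vm, vpage)] = self.next_frame
        self.next_frame += 1

    def read(self, vm, vpage):
        return bytes(self.frames[self.tables[(vm, vpage)]])

    def deduplicate(self):
        """Point every mapping with identical content at one shared frame."""
        seen = {}
        for key in sorted(self.tables):
            digest = hashlib.sha256(self.frames[self.tables[key]]).digest()
            self.tables[key] = seen.setdefault(digest, self.tables[key])

    def write(self, vm, vpage, offset, value):
        """Software write: a shared frame is copied first (copy-on-write)."""
        frame = self.tables[(vm, vpage)]
        if list(self.tables.values()).count(frame) > 1:
            self.map_page(vm, vpage, self.frames[frame])
            frame = self.tables[(vm, vpage)]
        self.frames[frame][offset] = value

    def dram_bit_flip(self, frame, offset, bit):
        """Hardware fault: alters the frame itself, bypassing the page tables."""
        self.frames[frame][offset] ^= 1 << bit

def merged_host(page):
    host = Host()
    host.map_page("vm-a", 0, page)
    host.map_page("vm-b", 0, page)
    host.deduplicate()
    return host

def demo():
    """Return (vm-b intact after vm-a's write, vm-b intact after a DRAM flip)."""
    page = b"constructed sample page".ljust(4096, b"\0")
    written, flipped = merged_host(page), merged_host(page)
    written.write("vm-a", 0, 0, 0x58)                         # vm-a gets a private copy
    flipped.dram_bit_flip(flipped.tables[("vm-b", 0)], 0, 0)  # shared frame changes
    return written.read("vm-b", 0) == page, flipped.read("vm-b", 0) == page
```

`demo()` returns `(True, False)`: the second VM's page survives the other VM's write but not the change made in the shared frame.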

Flip Feng Shui, or FFS, makes it possible, for example, to flip the bits of an OpenSSH key stored in memory so that the key can be retrieved. The attacker can thereby gain access to the victim's entire server. Another example the researchers describe is manipulating the 'apt-get' command, which allows malicious software to be installed on the victim VM.

The impact of the attack is therefore large, and all systems that support memory deduplication are vulnerable. Previous research also shows that 85 percent of all DDR3 modules are susceptible to Rowhammer. Until now, attacks on virtual machines were often limited to side-channel techniques, which focused on intercepting data. This case, however, involves an active attack.

The Dutch NCSC has been informed of the attack by the researchers and has published a fact sheet with a question-and-answer section. Parties such as OpenSSH, GnuPG, Oracle, VMware, Xen and Ubuntu have also been informed of the attack. The researchers are part of VUSec, the Systems and Networking Security Group of the Free University in Amsterdam, and the University of Leuven. The current research can be found on the website of the research group.